Uh, "the net" started out as the ARPANET created by the Department of Defence. When "the net" started, it *ONLY* had dangerous information on it (military stuff and the like) so the people checking their email and shopping on ebay are the newcomers here.
But I guess we should force all of the CDC and DoD off of the net until Windows XP users can get their act together? Right?
Yeah, that will happen.
Your conclusion has the following implied premise:
"All worms are released after the exploit is made public"
This premise is false. If an exploit exists, a worm can be written. It does not need public exposure to be so.
Keeping exploits in the dark only raises the bar on who can write them. This means a secret exploit can be used by professional hackers to gain access to "secure" networks and do really bad things, like steal data, until I am notified and can turn the service off. By making the exploit public, you can eliminate the threat of the professional hackers as well as the threat of the reverse-engineering hackers. But the worm comes out in a day and mucks with networks that are not being managed properly.
If you think there are not professional level system crackers with unknown exploits stealing data right now, you need to study security history some.
I believe we differ on this point. I want to keep my networks and data secure, and you want to keep worms from affecting the general population. While I understand worms are annoying, they are so annoying as to leave critical systems (air traffic control systems come to mind) vulnerable to prevent them.
Because sooner or later (if not already) most computers on the net will be run by the "lowest common denominator" people and not by elite like you.
But the data these people are protecting isn't (comparatively) important. So the people at the CDC in Atlanta should leave biological agent threats vulnerable, until the lowest common denominator "gets it"
There is a great deal of important information in play here. If the lowest common denominator has to put up with worms to protect it, I can live with that. I cannot live with dangerous information becoming public so 3rd graders can use their 'puter to chat about whatever it is third graders chat about.
Like my grandma who "just wants to read her e-mail and surf the net"?
If the shoe fits...
I'm not trying to insult your grandmother here, but it seems to me you want me to wait for her to get up to speed on network security before *I* can defend myself against potential worms. That's absolutely insane. I would be more inclined to agree to take her computer away until she learned how to operate it. But I'm not even close to agreeing to that.
So we leave responsible people in the dark (and at risk) until every last irresponsible person gets a clue. Let's not reduce important work to the lowest common denominator, ok?
I don't care if "most people won't install a quick fix for a security hole even if it was available from day 1," I will, so let me protect my network and let their networks burn.
Because the people you're talking about have shown that they will not install a patch *months* after "a major security upgrade is released," so how does this security model help at all? Hell, most of them aren't even aware of the vulnerability until their machines slow to a crawl and they hear about a new worm on the local news. So why should I wait for them to patch before I protect myself?
So instead of a limited group of professional people exploiting the security hole we invite the whole world to join the party?
If people are turning off/blocking the service, where is the party? No service, no exploit, get it?
Oh, you're referring to the people doing a half-ass job at protecting their networks. Yeah, they will be having some fun playing catch-up.
So if some people have figured out an exploit in software and are exploiting it, then revealing it to the whole world is a... service?
Yes, it allows me to turn the software off, or take the machines down running it until I can patch it. Keeping me in the dark is doing me a disservice.
The fact that a good deal of people are not vigilant about security and let their machines get exploited is no reason those of us who are vigilant should be penalized.
And I realize that 24 hours is not a lot of time to install a patch, but if you're serious about security, you stay up all night applying them if need be, and have vulnerability alerts going to a pager or cell phone. I don't understand how keeping it a secret and leaving people vulnerable is better than allowing them to take *any* action to fix it.
You don't have to wait for the patch to shut down a service, or switch off a feature. As far as I'm concerned there should be a preliminary warning the moment the vendor is aware of an exploitable service, and a patch made available ASAP. Then people paying attention can get on with their day, and those who aren't can get hit when the worm comes out (after the patch is released).
Wired Magazine argues that we need a second Moore's law, this time about overall efficiencies of our computers and other electronic devices.
We need less laws not moore! Let the industry regulate itself.
I can't believe that anyone would think moore gubmint regulation and red tape would make computers more efficient!!
Unbelievable!
What about offering "site licenses" to businesses?
We license it both ways. Well more actually, site, group, 1-3-5-more licences, all of which can be added after the fact. If they wanted more licences, they just had to contact us and we would grant the additional installs on the install server. All of these options were made available to them, in addition to two extra (not paid for) installs.
Clearly, your customers have demonstrated that your approach to them is inadequate.
No, what they have demonstrated is they would like to license *one* copy, and install it on *several* machines. Purchasing a site license was made available to these people, they instead opted to buy once install many.
Pissed off customers are customers who shop elsewhere
Customers pay for things. The people we're talking about stopped being "customers" when they installed the single license the third time, now they are "copyright infringers." Interesting you don't make the distinction.
Tried that, doesn't help. They just click [next >] and try to install it on a second and third machine.
The existing legal climate works well to inhibit well-intentioned people from pirating.
You would think so, but this is often not the case. You are 100% correct about the people who would never buy it anyway, but modern anti-piracy technologies focus on keeping the honest people honest, and not stopping college students.
The problem is, most people around the office (and at home) are not aware that loaning or giving a copy to a friend or co-worker is unauthorized. They really believe that they bought it, they can install it wherever they want.
I helped author the technology over at GAPS and we had customers of our clients complain when they were unable to buy one license and install it on more machines than the wrapper would allow. And we always allowed 2 additional installs per license. So, when they got to the fourth machine on a single machine license, we would get indignant phone calls and/or e-mails, asking why it would not install. So the end-users not knowing when they are pirating is a huge problem.
It modifies itself in memory, not on the disk.
If you set a flag to keep it from doing so, as in setting the code section as read only, then the wrapper would not function.
Of course this means viruses could modify it in memory as well. But that's the price you pay.
There is just no reason for a program to ever modify its own executable code.
Apparently you've never written an anti-piracy wrapper for a Windows application.
That's how the good ones do it, by decrypting/modifying their own binary code section in memory.
I guess as a GNU advocate, there is no need for anti-piracy programs,
but some people butter their bread writing software and they can't just give it away.
Luckily xmpcrd already lets my linux machine record, id3tag and ogg/mp3 encode XM Radio.
It can even search for substrings in songs/shows and record them as they appear.
I can timeshift CPAN Radio all day. Just what your political junkie needs.
And now there is a new Punk Channel as well (Fungus 53). *Sweet*
In which RFC is this method described? Because you referred to "the" RFC like there's only one or something.
Buy 5 powerfile jukeboxes. I use mine (only one) with MythVideo and some homebrew perl scripts. But if you get five of them you would just have to write a script to change disks and call mplayer or xine on the disc itself. You can get them on eBay for $400-$700 or buy them new for $1500-$2000.
If you don't mind compressing the movies then you can get 4, 640x480 resolution divx4 br:1800 movies per disc. And if you understood all the above you are well on your way.
If you designed and produced cars on a typical programmer's development schedule, you would probably have to pour oil into them while running to keep the fluid levels right.
And they would just explode for no reason sometimes.
Negative.
I use a Vox2 docking station. You wire it (plug it into a jack) to your house wiring and any existing phone can use your cell to dial out. (You press # for send) No land line required.
Applicants must have 10 Years Windows 2000 experience or 10 Years Solaris 9 experience.
Your cell phone won't say Oh Shit! When you are about to hit someone. A passenger will.
Military HMMWV will do 100 MPH. The reason the convoys go so slow is the convoy marching orders usually include a maximum convoy speed. But get one of them on the German autobahn, and you can GO!
The same one all able-bodied males at least 17 years of age and, except as provided in section 313 of title 32, under 45 years of age who are, or who have made a declaration of intention to become, citizens of the United States and of female citizens of the United States who are members of the National Guard are in. How about you?
http://www4.law.cornell.edu/uscode/10/311.html
I would always choose to protect those who choose to be informed than the willfully ignorant.
Why should the people who take the time to keep informed be sacrificed to protect the people who have shown that they won't install a patch if it's been in the mainstream press for a month?
'I wish those people just would be quiet.'
I wish they would too. There is nothing worse than finding an exploit that gives me total access to any network I want, and then when some other chucklehead finds it, blabs all over the net, and then Network Administrators start locking down the ports I use to run willy-nilly through their network. I would have about another month to own their network before the patch comes out. But noooo, some jerkhead has to cut me off a month early. And I have to find an unknown exploit all over again.
Maybe I should post anonymously, nah to hell with it.
How does your workplace compare?
Manual Proxy configuration [localhost] [3128]
They're ignorant...
ssh home_squidhost -L 3128:127.0.0.1:3128
Mozilla->Edit->Preferences->Advanced->Proxies->
I call it my tunnel-O-porn, but seriously, I don't need them snarfing my slashcookie.